We often get questions about the security of GiveGab Enterprise and its embeddable forms feature. This article addresses common concerns and describes steps you should take to ensure that the website hosting these forms is secure.
The first step in establishing your website's security is installing an SSL Certificate. Having an SSL Certificate is our recommended best practice and is key to building donor confidence, because it is visible to donors in their web browser.
How We Secure Our Embeddable Forms
We are PCI Level 1 and SOC Compliant
We are required to undergo annual audits to obtain both levels of certification and as part of those audits we are required to undergo a litany of security tests including:
Code scanning analysis
Penetration testing
Log monitoring and analysis
Internal scanning and intrusion detection
Access control policies and implementation
Incident response policies
PCI & SOC compliance of all vendors and data centers
Regular security patching as vulnerabilities are identified
Multiple layers of firewalls and HTTPS/SSL
We enforce HTTPS with Transport Layer Security (TLS) 1.2 or better
Our embeddable forms post donor data to GiveGab Enterprise servers over HTTPS (TLS 1.2+), and the form code itself is delivered from GiveGab Enterprise servers over HTTPS (TLS 1.2+). The form code is not stored separately on your website; it is served to each donor when needed, so only our most up-to-date code is ever in use.
Our identity as a provider is protected by strong encryption, making it impossible for a hacker to intercept payments or to pretend to take payments on our behalf.
We ensure that the form code served from the GiveGab Enterprise servers is securely handled, that the communication channel between the embeddable form and the GiveGab Enterprise servers is secure, and that the contents of that communication are not human readable. We take a best-practices-based approach to providing the highest level of security available to your donors and customers, and we proudly maintain PCI Level 1 compliance.
What Types of Vulnerabilities Am I Most Susceptible To?
Infected or compromised personal computers. We can do little to protect a donor from their own machine. A personal computer, phone or tablet that has been infected will always be able to read the form a donor is filling out. Best practices in malware protection cannot be enforced from our systems. We do put considerable effort into keeping that malware away from the GiveGab Enterprise servers.
Infected or compromised websites. Our embeddable form is a program that runs on the donor's personal computer. If the web page or web server is infected with malware, that malware will run on the donor's computer too. We use best practices such as JavaScript closures to segregate our code from other scripts on the page, but we cannot protect against malware designed to compromise a donor's experience.
Proactive Steps You Can Take to Combat Some Vulnerabilities
Here are some proactive steps you can take to position yourself well against these vulnerabilities. We highly recommend that you consult with your technology professionals, website hosting provider, and internal IT staff.
Be diligent in keeping your website hosting service and platform up to date.
WordPress and the Magento eCommerce platform are frequently targeted. Keep these tools up to date at all times.
Talk to your provider and internal IT team to understand their patching and update practices.
Designate a person within your organization to receive and respond to security updates, and subscribe to a security alert service (https://www.qualys.com/research/security-alerts/).
Have your websites scanned for vulnerabilities and exploits regularly.
Use a reputable provider that maintains a current vulnerability database (https://pentest-tools.com/website-vulnerability-scanning/web-server-scanner).
Always run anti-virus software on every server (https://home.sophos.com).
Use monitoring solutions for your websites (https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools).
Use your browser's developer tools (such as those built into Google Chrome) on each of your pages that has a form. The Network tab will show a knowledgeable technologist whether any data is being sent to unknown sites.
Follow development best practices, including:
Content Security Policy (CSP) headers
OWASP guidance
A code-analysis tool, particularly one that can evaluate the JavaScript on your page, such as Veracode
XSS filtering
Passwords are very important.
Always change all default passwords when using tools like WordPress.
Always use long, complex passwords. These can be hard to remember, so consider having organization staff use a secure password vault (https://1password.com) to discourage easy-to-guess and overly simple passwords.
Change passwords regularly. Passwords for server access should be changed at least every 90 days; other passwords at least every 180 days.
A Common Threat - JSSniffer
Unfortunately, we have had clients exploited by JSSniffer (https://www.volexity.com/blog/2018/07/19/js-sniffer-e-commerce-data-theft-made-easy/). This is a program that gets inserted into a web page hosted on a customer's web server. It is attached to the web page so that, when a donor views the page, it runs in secret on the donor's personal computer. While running, it reads anything the donor types and sends it back to the hacker. This is only possible when a hacker has found a way into the web server. Doorways for a hacker to do this include:
Default passwords on software that were never changed
Unpatched vulnerabilities on the server’s operating system
Unpatched vulnerabilities on the web server’s application code (such as WordPress)
Security flaws in custom applications on the web server
Stolen passwords from real employees with legitimate access
This is not an exhaustive list.
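As an added example (not GiveGab's code), the following Python ties two of the proactive steps above to the JSSniffer threat: it builds a Content Security Policy header that limits where the donation page may load scripts from and where it may send data, and it automates the Network-tab check by listing every host in a saved HAR capture that is not on your allowlist, which is exactly the outbound request a sniffer depends on. The hostnames and the HAR capture are constructed placeholders; substitute your own site and the hostnames your form provider documents.

```python
import json
from urllib.parse import urlsplit

# Hosts the page is expected to talk to. Constructed placeholders: replace them with
# your own site and the hostnames your form provider documents.
ALLOWED_HOSTS = {
    "www.example-nonprofit.org",      # your own website
    "forms.giving-provider.example",  # placeholder for the form provider's servers
}

def build_csp(allowed_hosts):
    """Content-Security-Policy value that limits where scripts may load from,
    where XHR/fetch may connect and where forms may submit. A sniffer injected
    into the page cannot post captured input to a host outside this list: the
    browser blocks the request and logs a CSP violation."""
    hosts = " ".join(sorted(f"https://{h}" for h in allowed_hosts))
    return (
        "default-src 'self'; "
        f"script-src {hosts}; "
        f"connect-src {hosts}; "
        f"form-action {hosts}; "
        f"frame-src {hosts}"
    )

def unexpected_hosts(har_text, allowed_hosts):
    """Parse a HAR capture (Chrome Network tab > 'Save all as HAR') and return
    every host that received a request but is not on the allowlist, with the
    requests made to it."""
    har = json.loads(har_text)
    seen = {}
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname
        if host and host not in allowed_hosts:
            seen.setdefault(host, []).append(f"{req['method']} {req['url']}")
    return seen

# Constructed sample HAR: two legitimate requests and one POST of form field
# names to a host the donation page has no business contacting.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://www.example-nonprofit.org/donate"}},
    {"request": {"method": "GET", "url": "https://forms.giving-provider.example/embed.js"}},
    {"request": {"method": "POST", "url": "https://cdn-stats.invalid/collect?f=card"}},
]}})

if __name__ == "__main__":
    print("Content-Security-Policy:", build_csp(ALLOWED_HOSTS))
    for host, requests in unexpected_hosts(SAMPLE_HAR, ALLOWED_HOSTS).items():
        print("UNEXPECTED HOST:", host, requests)
```

The CSP value must be sent as a response header by your web server or hosting platform; roll it out first as Content-Security-Policy-Report-Only so that legitimate resources are not blocked while you tune the allowlist.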
In conclusion, when a donor is asked for credit card and payment information, or for other Personally Identifiable Information (PII), on any web page, special attention should be given to keeping that page secure. The consequences need no elaboration: they can damage the reputation of good organizations in dramatic ways and erode donor trust.
This is why it is important to invest in the security of your web sites and regularly review the security of those sites.
GiveGab makes diligent efforts at prevention, and we are committed to protecting your data and your donors. Yet we can only secure the path from our own embeddable form back to our Enterprise data center. Containing these risks is a shared responsibility that we can only succeed at as a team.